Effective Risk Management: How to Empower Your Front Lines

Amrit Bains

March 21, 2025

A cyber-attack has just hit your organisation. Operations have come to a halt. The IT team is scrambling to restore servers. The Finance department is crunching numbers to calculate the impact on the financial accounts. The Marketing team is spinning up a crisis communication strategy. Across the organisation, every employee has been prepped with a go-to statement to keep messaging aligned. 

This extreme — albeit feasible — scenario is intended to highlight just how involved the front lines can become once a risk has materialised. It is this very set of stakeholders who often face initial exposure to the risk and also bear responsibility for the mitigating actions. And yet, a disconnect can still exist between ERM and front-line teams, which is usually uncovered when the age-old question is asked during the post-incident reviews — “what went wrong?”

A significant part of the risk management process requires consultation with process owners during the initial identification of the policies, procedures and internal controls employed to manage risks accordingly. But unless a fire actually does break out, the front line can end up forgotten (be it purposefully or unintentionally) in the subsequent stages of the cycle. This lack of integration usually stems from the traditional hierarchical structures that prioritise ERM and Executive Management input. With organisations increasingly adopting a more “bottom-up” approach across decision-making in conjunction with technological advancements to accelerate cross-functional connectedness, now may be the perfect time to ask yourself: “how involved are our front-line teams in the risk management process?” 

In accordance with a commonly-adopted ERM process that identifies four key phases of risk management (Identify, Assess, Respond, and Monitor), I’ll break down how the front line can be the key to quicker risk identification, more accurate assessment of risks and efficient management of risk responses across these phases.

Front Line Management Across the Risk Management Cycle

1. Identify

If risks are the events that may prevent an organisation from achieving its strategic objectives, then having an acute awareness of those objectives is the first step in risk identification. However, the same logic applies to the different layers within an organisation, as there are likely to be further specificities in the objectives identified at the functional or entity level (i.e. Business Unit, Location, Region — essentially a group of critical components of your organisation). In order to fully understand these specificities and the associated “entity risks”, it is imperative that the entity’s functional objectives are not only defined to begin with, but also understood by those who have a stake in the entity risks.

Having a robust understanding and ongoing awareness of entity risks within every single function can be a tough task for a central ERM team, particularly in complex or decentralised organisations. Furthermore, strategic or principal risks may not necessarily be applicable to each and every single entity. But without appropriate oversight of entity risks, ERM will of course be prone to these functional blind spots. It’s important to extend risk identification to the “boots on the ground” in the initial risk identification stages. 

Consider the following suggestions for either top-down or bottom-up risk identification — or even a combination of both:

  1. You go to the business: Sending out risk surveys to the business may be an invaluable way of collating key risk information from front line teams. The aim here would be to request key information which may be indicative of previously unaccounted risks at the entity level. AuditBoard’s WorkStream feature can help streamline this process by collecting risk information from the business via an intuitive survey-based workflow.
  2. The business comes to you: Another approach is to encourage the front lines to be proactive and forthcoming in their identification of risks; think of it as a digital “open door policy”. Imagine if anyone in the business could propose a new risk, at any given point in time. I know what you’re thinking: “the business wouldn’t articulate risks in a consistent manner, it would be administrative chaos,” and so on. However, this approach would be best managed via a triaging process — AuditBoard’s Risk Intake feature would be a great solution here, since the delegated (ERM) function could easily review risks that have been proposed by the business and formally capture them in the Risk Library once they are content with the information provided.

2. Assess

Risk assessments may traditionally be a laborious task to administer, particularly if they are issued frequently and to a multitude of functions — but they don’t have to be! Consider the ways that you can streamline this process so that risks are being assessed both effectively and appropriately. 

First, look at the risk assessment cadence. If the risk assessment needs to take place at a defined frequency, then creating an automatic recurrence to remove the administrative burden of pressing “send” to all those functions every quarter would be optimal. But if there is scope for less rigidity, or you want to encourage risk owners to proactively assess the risks at any given point, consider adopting an “ad-hoc” style of risk assessment. AuditBoard’s risk assessment capabilities can support either format.

Additionally, look at the recipients of the risk assessment. Understandably, traditional risk assessments are issued to each Risk Owner individually; you could argue that this is rule number one of accountability. However, consider whether there is potential for a more collaborative approach like interview-style risk assessments. Not only would this mean consulting a wider range of stakeholders to gather more diverse perspectives and insights into the true risk impact, but it encourages alignment amongst functional teams, potentially producing a more reliable final assessment output.

3. Respond

We’ve all heard of the 4 T’s when capturing risk responses — Tolerate, Treat, Transfer, Terminate. Well, here’s another T to consider: Trust. Trust those who are accountable for mitigating risk and enable them to act proactively outside of the Identify and Assess stages. The front-line teams who are exposed to and affected by risks may well have had earlier visibility than realised, but without the opportunity to sufficiently capture it, it can be challenging to get accurate and real-time visibility of an impending disaster. As such, risk identification should be an ongoing process. The aim here is to instil a culture of continuous risk-thinking — don’t just reach out to stakeholders when the alarm bell rings, or when the risk mitigation plans are approaching their due date.

A practical way to drive such an approach could be to periodically issue risk certifications by way of a questionnaire to confirm that the risk information is still accurate or confirm if there are any anticipated deviations to the risk mitigation plan. This is easy to accomplish in AuditBoard, which allows teams to adjust and tailor risk survey templates for different types of stakeholder interaction. Not only does this mean promoting the ongoing risk dialogue amongst entities, but it also means easily obtaining up-to-date risk information and therefore allowing for more accurate reporting in the final stage of the process.

4. Monitor/Report

Arguably, monitoring and reporting is the stage where having adequate front-line oversight can most often be overlooked. As you prepare for Executive Updates and Risk Committee meetings, you may well have forgotten the key stakeholders who have been included in the process up until now. Capitalise on the quality information that has been captured by producing rich, meaningful outputs for front-line teams, not just within ERM and above. The key is to make it relevant to their role — think “I” in RACI, a common framework used to define the roles of a team as Responsible, Accountable, Consulted, and Informed. 

Whether it be a one-size-fits-all style of reporting or a customised dashboard for each function/entity, having these tailored outputs that sufficiently inform the front line will provide transparency into their risk environment. Even better, it enables them to recognise first-hand how their contributions have mattered in the wider context of organisational risk management. 

Including the front line in risk reporting not only closes the risk management loop effectively, but it also promotes inclusivity and may inform better decision-making ahead of the next iteration of the process. 

Close the Gap With Connected Risk

Don’t wait until the threat hits before you start the risk conversation with your organisation. Ensure there is ample opportunity for the business to be forthcoming in timely identification of risks, particularly if they are the ones who are closest to the fire and the hose. Start dissecting your risk management process to try and uncover where there is scope for greater front line involvement even beyond risk identification.

Particularly for organisations where entities are disparate or where resources may be stretched thin, this presents an opportunity to leverage technology and stride towards a Connected Risk environment, which means not only a more effective use of resources, but also a more inclusive, pro-risk culture throughout the organisation.

To learn more about how to take your risk management to the next level with AuditBoard, watch the 2-minute overview here!

Amrit Bains

Amrit Bains is the Customer Success Manager for EMEA at AuditBoard. Having begun his career at KPMG, where he trained as a Chartered Accountant and external auditor for clients in the UK and overseas, he then worked as a Senior Internal Auditor for a UK-based cooperative. Connect with Amrit on LinkedIn.